Skip to content

CI: Add ansys/actions/check-actions-security action and related fixes #6743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Oct 13, 2025
Merged

CI: Add ansys/actions/check-actions-security action and related fixes #6743

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
da80f13
ci: Use argument persist-credentials: false with actions/checkout
ecoussoux-ansys Oct 7, 2025
10ea390
ci: Remove template expansions from inside job runs
ecoussoux-ansys Oct 7, 2025
d8a8a52
ci: Avoid overly broad permissions for workflow jobs - Add specific o…
ecoussoux-ansys Oct 7, 2025
91ec1c4
ci: Fix anonymous-definition of commenter job
ecoussoux-ansys Oct 8, 2025
1431aec
ci: Fix spoofable bot condition in block-dependabot job
ecoussoux-ansys Oct 8, 2025
9857bf5
ci: Add actions security check to workflow
ecoussoux-ansys Oct 8, 2025
9f5f813
chore: adding changelog file 6743.maintenance.md [dependabot-skip]
pyansys-ci-bot Oct 8, 2025
af08ee3
ci: Updating permissions for check-pr-title job
ecoussoux-ansys Oct 10, 2025
1fc144b
Merge branch 'main' into ci/add-actions-security-check
ecoussoux-ansys Oct 10, 2025
bcc3027
Merge branch 'main' into ci/add-actions-security-check
SMoraisAnsys Oct 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 77 additions & 13 deletions .github/workflows/ci_cd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Disable default permissions

jobs:

update-changelog:
Expand All @@ -43,6 +45,8 @@ jobs:
vulnerabilities:
name: "Vulnerabilities"
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
Expand All @@ -52,6 +56,18 @@ jobs:
dev-mode: ${{ github.ref != 'refs/heads/main' }}
extra-targets: 'all'

actions-security:
name: "Check actions security"
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
generate-summary: true
token: ${{ secrets.GITHUB_TOKEN }}
auditing-level: 'high'

# NOTE: We do not allow dependabot to trigger the CI/CD pipeline automatically.
# This is to mitigate supply chain attacks, where a malicious dependency update
# could execute arbitrary code in our build environment.
Expand All @@ -62,7 +78,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Exit if dependabot triggered the workflow
if: github.triggering_actor == 'dependabot[bot]'
if: github.event.pull_request.user.login == 'dependabot[bot]'
run: |
echo "::warning::Dependabot is not allowed to trigger this workflow. Please review carefully the changes before running the workflow manually."
exit 1
Expand All @@ -87,6 +103,8 @@ jobs:
name: Check the title of the PR (if needed)
runs-on: ubuntu-latest
needs: [block-pyansys-ci-bot]
permissions:
pull-requests: read
steps:
- name: Check the title of the pull request
if: github.event_name == 'pull_request'
Expand All @@ -103,6 +121,8 @@ jobs:
name: Documentation style check
runs-on: ubuntu-latest
needs: [pr-title]
permissions:
contents: read
steps:
- name: Check documentation style
uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
Expand Down Expand Up @@ -157,8 +177,10 @@ jobs:
use-python-cache: false
- name: Import python package
shell: bash
env:
ACTIVATE_VENV: ${{ steps.build-wheelhouse.outputs.activate-venv }}
run: |
${{ steps.build-wheelhouse.outputs.activate-venv }}
${ACTIVATE_VENV}
python -c "import ansys.aedt.core; from ansys.aedt.core import __version__"

unit-tests:
Expand Down Expand Up @@ -228,6 +250,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
Expand Down Expand Up @@ -267,9 +291,10 @@ jobs:
- name: Run tests marked with 'solvers'
env:
PYTHONMALLOC: malloc
PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
run: |
.venv\Scripts\Activate.ps1
pytest ${{ env.PYTEST_ARGUMENTS }} --timeout=600 -m solvers
pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers

- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
Expand Down Expand Up @@ -299,24 +324,30 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

Expand All @@ -329,10 +360,13 @@ jobs:
done

- name: Run tests marked with 'solvers'
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pytest ${{ env.PYTEST_ARGUMENTS }} --timeout=600 -m solvers
pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers

- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
Expand All @@ -359,6 +393,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
Expand Down Expand Up @@ -435,24 +471,30 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

Expand Down Expand Up @@ -510,6 +552,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
Expand Down Expand Up @@ -587,24 +631,30 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

Expand Down Expand Up @@ -659,6 +709,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
Expand Down Expand Up @@ -735,24 +787,30 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
env:
ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

Expand Down Expand Up @@ -812,6 +870,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
Expand Down Expand Up @@ -885,6 +945,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
Expand Down Expand Up @@ -1011,6 +1073,8 @@ jobs:
if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
runs-on: ubuntu-latest
needs: [release]
permissions:
contents: write
steps:
- name: Deploy the stable documentation
uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/label.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,17 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Disable default permissions

jobs:

label-syncer:
name: Syncer
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -76,6 +80,7 @@ jobs:
labels: testing

commenter:
name: Suggest labels if none assigned
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down
Loading
Loading